How we protect
your data.

All applicant data, document files, and database contents are encrypted at rest using AES-256, provided by Supabase (PostgreSQL) and Supabase Storage.

TLS 1.2+ enforced on every connection between browsers, the TenantFort application (hosted on Vercel), Supabase, Stripe, Resend, and Anthropic.

Each landlord organization's data is isolated at the database row level. RLS policies on every table ensure one organization cannot read another's properties, applicants, documents, leases, or payments.

Applicant documents in storage are accessed via signed URLs that expire. They are never publicly browsable.

Account access is gated by Supabase Auth. Passwords are hashed (bcrypt). Session tokens use httpOnly, Secure cookies.

Within an organization, users have roles (owner, admin, manager, viewer). Each role has scoped permissions for properties, applications, leases, billing, and team management.

TOTP-based MFA enrollment is available to every landlord account from Settings → Security. Enterprise plans can require MFA for the entire organization — un-enrolled users are routed to the enrollment flow on next sign-in and blocked from the dashboard until they complete it.

SSO via Google Workspace, Okta, Azure AD, or custom SAML is available on the Enterprise tier.

Every screening decision is logged with the criteria applied, the timestamp, and the acting user. The audit trail is queryable by the organization.

Each AI document review records the model, prompt version, and the structured assessment, attached to the document for review.

Account-level actions (role changes, key rotations, webhook updates) are written to the audit trail.

Manual review of unusual patterns. Automated rate-limiting on public endpoints. Formal anomaly detection is on the roadmap.

Application hosted on Vercel (US regions, edge network). Database and file storage on Supabase (US regions). Both are SOC 2 Type II audited platforms.

Database backups are managed by Supabase: daily automated backups with point-in-time recovery available on the Pro tier.

Dependencies are monitored for known vulnerabilities. Critical security patches are applied within 7 days of disclosure; high-severity within 30.

TenantFort the company is not yet SOC 2 audited. Both Vercel and Supabase, our hosting providers, are SOC 2 Type II audited. We will publish our own SOC 2 attestation when complete.

Independent third-party penetration testing is planned ahead of broad enterprise rollout. Currently, we run internal security reviews on every release.

Adverse action notices generated by TenantFort include the disclosures required by 15 U.S.C. § 1681 et seq. Landlords using the platform must obtain proper applicant authorization and use the data only for permissible purposes.

Applicant consent is captured for AI document analysis, public records cross-reference, and verification outreach. Cross-border transfer notice is provided. Provincial privacy law obligations (Quebec Law 25, BC PIPA, Alberta PIPA) are reviewed for jurisdictional applicability.

Every screening decision logs the exact criteria applied so an organization can demonstrate consistent treatment across applicants for the same property.

Applicants and tenants can request access, correction, or deletion of their personal data via info@tenantfort.com. Requests are honored within 30 days, subject to legal record-retention obligations.